# All Next Steps — Consolidated List

**Last Updated:** 2026-02-08

**Purpose:** Single ordered list of everything left to do (Dev/Codespaces + general operator).

**Run-order:** [NEXT_STEPS_INDEX.md](NEXT_STEPS_INDEX.md) → [OPERATOR_READY_CHECKLIST.md](OPERATOR_READY_CHECKLIST.md); completable first: `./scripts/run-completable-tasks-from-anywhere.sh`, then `./scripts/run-all-operator-tasks-from-lan.sh` from LAN.

**References:** [DEV_CODESPACES_NEXT_STEPS_CHECKLIST.md](../04-configuration/DEV_CODESPACES_NEXT_STEPS_CHECKLIST.md) | [NEXT_STEPS_OPERATOR.md](NEXT_STEPS_OPERATOR.md)

**Completion evidence:** [DEV_CODESPACES_COMPLETION_20260207.md](../04-configuration/verification-evidence/DEV_CODESPACES_COMPLETION_20260207.md)

**Secrets & remaining actions:** [REMAINING_ITEMS_DOTENV_AND_ACTIONS.md](../04-configuration/REMAINING_ITEMS_DOTENV_AND_ACTIONS.md)

---

## Completed 2026-02-07 (automated/scripted)

- **Fourth NPMplus:** Script fixed to use NPM_URL_FOURTH; run requires first-time login and `NPM_PASSWORD_FOURTH` in `.env`. Placeholder added in `.env`.
- **SSH keys:** `scripts/dev-vm/add-dev-user-ssh-keys.sh` added — adds one public key to dev1–dev4 on CT 5700 via Proxmox host.
- **Security:** `scripts/security/run-security-on-proxmox-hosts.sh` added — SSH key-only + UFW 8006 on all three Proxmox hosts (default dry-run; `--apply` when ready).
- **Verification:** dev.d-bis.org, gitea.d-bis.org, codespaces.d-bis.org return HTTP 200; pve.* and 76.53.10.40 time out from workspace (verify from LAN if needed).

---

## Already done (no action)

- Fourth NPMplus LXC 10236 at 192.168.11.170; NPMplus + cloudflared installed; tunnel connector running (systemd).
- Dev VM 5700 at 192.168.11.59; users dev1–dev4, Gitea; tunnel + DNS configured.
- UDM Pro port forward 76.53.10.40 → 192.168.11.170 (80/81/443) and → 192.168.11.59 (22, 3000).

---

## 1. Dev/Codespaces — Fourth NPMplus proxy hosts — **DONE (2026-02-08)**

All six proxy hosts added (script + same credentials). Let's Encrypt (Certbot) requested in UI; all six show **Online**, TLS Certbot, Public. No further action.

---

## 2. Dev/Codespaces — SSH keys for dev1–dev4 — **DONE (2026-02-08)**

Keys added via `add-dev-user-ssh-keys.sh` from repo root. Test: `ssh dev1@192.168.11.59`.

---

## 3. Dev/Codespaces — Gitea first-run — **DONE (2026-02-08)**

Installer completed (git user, SQLite, paths under /opt/gitea/data, app.ini writable). Create repos in UI at https://gitea.d-bis.org as needed.

---

## 4. Dev/Codespaces — Rsync projects + dotenv — **DONE (partial; re-run for full sync)**

Initial rsync run from repo root; large tree may need a second run from your terminal:

`cd ~/projects/proxmox && bash scripts/dev-vm/rsync-projects-to-dev-vm.sh`

Ensure dotenv files are under `/srv/projects` (see [DEV_CODESPACES_76_53_10_40.md § 6](../04-configuration/DEV_CODESPACES_76_53_10_40.md#6-dotenv-files-include-in-dev-vm--accessibility)).

---

## 5. Dev/Codespaces — Gitea repos and remotes — **DONE (2026-02-08)**

Org **d-bis** and 18 repos created. **Pushed** to Gitea: proxmox (master), dbis_core (main), smom-dbis-138 (main), miracles_in_motion (main). Future pushes: use `GITEA_TOKEN` with `scripts/dev-vm/push-to-gitea.sh`.

---

## 6. Dev/Codespaces — Verification — **DONE (2026-02-08)**

- **HTTPS:** dev.d-bis.org, gitea.d-bis.org, codespaces.d-bis.org → 200. pve.* and 76.53.10.40 verify from LAN if needed.
- **SSH:** `ssh dev1@192.168.11.59` confirmed; projects visible under `/srv/projects/`. Cursor Remote-SSH → `/srv/projects/proxmox`.
- **Proxmox:** Confirm noVNC/console for pve.ml110, pve.r630-01, pve.r630-02 from browser when on LAN.

---

## 7. General — Bridge (W0-2)

**Secrets:** **PRIVATE_KEY** in **smom-dbis-138/.env**; **same wallet** holds **LINK** for bridge fees.

**Check:** `bash scripts/bridge/run-send-cross-chain.sh 0.01 --dry-run` (already verified).

**To run real:** `bash scripts/bridge/run-send-cross-chain.sh 0.01`

---

## 8. General — Security (W1-1, W1-2)

**Check:** Ensure SSH key login works to all three hosts before `--apply`.

**Run from repo root:** `bash scripts/security/run-security-on-proxmox-hosts.sh --apply` (disables password SSH, restricts 8006 to 192.168.11.0/24). No .env secrets needed.

---

## 9. General — 2506–2508 (destroyed 2026-02-08)

Containers 2506, 2507, 2508 were **destroyed 2026-02-08** on all Proxmox hosts. Besu RPC range is **2500–2505** only. No JWT/identity action for 2506–2508. See [MISSING_CONTAINERS_LIST.md](../03-deployment/MISSING_CONTAINERS_LIST.md).

---

## 10. General — Explorer SSL

If explorer.d-bis.org shows certificate warning: NPMplus at https://192.168.11.167:81 → SSL Certificates → Let's Encrypt for explorer.d-bis.org → assign to proxy host, Force SSL. See [EXPLORER_TROUBLESHOOTING.md](../04-configuration/EXPLORER_TROUBLESHOOTING.md).

---

## 11. General — NPMplus cert 134 (cross-all.defi-oracle.io)

If verification reports "cert files missing": NPMplus at https://192.168.11.167:81 → SSL Certificates → find cross-all.defi-oracle.io → re-request Let's Encrypt or re-save to restore cert files.

---

## 12. General — Wave 2 & 3

Per [WAVE2_WAVE3_OPERATOR_CHECKLIST.md](WAVE2_WAVE3_OPERATOR_CHECKLIST.md): monitoring stack, Grafana + Cloudflare Access, VLAN enablement, CCIP Ops/Admin (5400–5401), DBIS services, NPMplus HA (optional), CCIP Fleet, Phase 4 tenant isolation. (2506–2508 destroyed 2026-02-08.)

---

## 13. General — Smart contracts (deploy and verify)

**Secrets:** PRIVATE_KEY (and RPC_URL_138, LINK_TOKEN_CHAIN138, CCIPWETH9_BRIDGE_CHAIN138) in **smom-dbis-138/.env**. Same wallet for deployment and bridge (holds LINK).

**Remaining:** Deploy any contracts not yet deployed; verify on Blockscout.

- **Deploy (Chain 138):** `cd smom-dbis-138 && source .env && bash scripts/deployment/deploy-all-contracts.sh` (or `deploy-contracts-unified.sh --mode ordered`). WETH bridge: `GAS_PRICE=1000000000 ./scripts/deploy-and-configure-weth9-bridge-chain138.sh` from repo root.
- **Verify:** `source smom-dbis-138/.env && ./scripts/verify/run-contract-verification-with-proxy.sh`

**References:** [CONTRACT_DEPLOYMENT_RUNBOOK.md](../03-deployment/CONTRACT_DEPLOYMENT_RUNBOOK.md), [CONTRACTS_TO_DEPLOY.md](../11-references/CONTRACTS_TO_DEPLOY.md), [REMAINING_ITEMS_DOTENV_AND_ACTIONS.md § 13](../04-configuration/REMAINING_ITEMS_DOTENV_AND_ACTIONS.md#13-smart-contracts--deploy-and-verify).

---

## Quick command index

| Goal | Command |
|------|---------|
| Fourth NPMplus proxy hosts | `NPM_PASSWORD_FOURTH='...' bash scripts/nginx-proxy-manager/update-npmplus-fourth-proxy-hosts.sh` |
| Add dev user SSH keys | `PUBLIC_KEY="$(cat ~/.ssh/id_ed25519.pub)" bash scripts/dev-vm/add-dev-user-ssh-keys.sh` |
| Rsync to dev VM | `bash scripts/dev-vm/rsync-projects-to-dev-vm.sh [--dry-run]` (after SSH keys) |
| Dev/Codespaces tunnel+DNS | `bash scripts/cloudflare/configure-dev-codespaces-tunnel-and-dns.sh` |
| Security on Proxmox hosts | `bash scripts/security/run-security-on-proxmox-hosts.sh [--apply]` |
| NPMplus backup | `bash scripts/verify/backup-npmplus.sh` |
| Wave 0 via SSH | `bash scripts/run-via-proxmox-ssh.sh wave0 --host 192.168.11.11` |
| Bridge (real) | `bash scripts/bridge/run-send-cross-chain.sh 0.01` |
| Deploy contracts (Chain 138) | `cd smom-dbis-138 && source .env && bash scripts/deployment/deploy-all-contracts.sh` |
| Verify contracts (Blockscout) | `source smom-dbis-138/.env && ./scripts/verify/run-contract-verification-with-proxy.sh` |
| Push all projects to Gitea | `GITEA_TOKEN=xxx bash scripts/dev-vm/push-all-projects-to-gitea.sh` |
| Add as4-411 submodule to Sankofa (Phoenix) | `bash scripts/dev-vm/add-as4-411-submodule-to-sankofa.sh` |
| SSH key auth | `bash scripts/security/setup-ssh-key-auth.sh --apply` (on each host) |
| Firewall 8006 | `bash scripts/security/firewall-proxmox-8006.sh --apply` |
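
The pre-`--apply` check from section 8 (SSH key login must work on every Proxmox host before password SSH is disabled) can be scripted as below. This is an added example, not a script from this repository; the hosts are passed as arguments, and the `SSH_USER=root` default and the `SSH_BIN` override are assumptions.

```bash
#!/bin/sh
# Added example (not part of the repo): pre-flight for section 8.
# Usage: sh preflight.sh <host1> <host2> <host3>
# Assumptions: login user defaults to root; SSH_BIN exists only so the
# ssh client can be swapped out for testing.

SSH_BIN="${SSH_BIN:-ssh}"
SSH_USER="${SSH_USER:-root}"

# Succeeds only if public-key authentication alone opens a session.
# BatchMode forbids any interactive prompt, so a host that would fall
# back to a password counts as a failure instead of hanging.
key_login_ok() {
  "$SSH_BIN" -o BatchMode=yes \
    -o PreferredAuthentications=publickey \
    -o PasswordAuthentication=no \
    -o ConnectTimeout=5 \
    "${SSH_USER}@$1" true >/dev/null 2>&1
}

# Checks every host, prints one status line each, and returns the
# number of hosts that failed (0 means all hosts passed).
preflight() {
  failed=0
  for host in "$@"; do
    if key_login_ok "$host"; then
      echo "OK    $host"
    else
      echo "FAIL  $host"
      failed=$((failed + 1))
    fi
  done
  return "$failed"
}

# Runs only when hosts are given on the command line.
if [ "$#" -gt 0 ]; then
  if preflight "$@"; then
    echo "All hosts accept key-only login; --apply will not lock you out."
  else
    echo "Do not run --apply until every host shows OK." >&2
    exit 1
  fi
fi
```
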